ADVERTISEMENT

Exposed FCM keys leaves billions of users open to mass spam and phishing notifications

Neon version of Google's logo
Bernard Meyer
Bernard Meyer Senior Researcher
Aug 25, 2020 Updated: 6 December 2023 4 min read
Test Notification FCM
Users in Germany discussing on Reddit how they received multiple FCM spam notifications
Users in Germany discussing on Reddit how they received multiple FCM spam notifications
A screen capture of the type of spam FCM notifications from MS Teams
A screen capture of the type of spam FCM notifications from MS Teams
Picture of Abhishek Dharani, the Bangalore-based security researcher better known as “Abss.”
Abhishek Dharani, the Bangalore-based security researcher better known as “Abss.”

The most likely attacks using the Firebase vulnerability

ADVERTISEMENT
  • Google Play Music (5 billion installs)
  • Google Hangouts (1 billion installs)
  • YouTube Music (100 million installs)
  • YouTube Go (500 million installs)
  • Smule Autorap (10 million installs)
  • Smule - The Social Singing App (100 million installs)
  • Deliveroo (10 million installs)
A forum on Microsoft's site discussing the new FCM message notification attack
A forum on Microsoft's site discussing the new FCM message notification attack
A proof of concept of Abss successfully manipulating push notifications for Google Play Music
A proof of concept of Abss successfully manipulating push notifications for Google Play Music

Protect yourself online with our hand-picked digital privacy tools

ADVERTISEMENT